Attributes in cryptographic credentials
Method and apparatus for generating cryptographic credentials certifying user attributes and making cryptographic proofs about attributes encoded in such credentials. Attributes are encoded as prime numbers E in accordance with a predetermined mapping and a cryptographic credential is generated encoding E. To prove that an attribute encoded in a cryptographic credential associated with a proving module of the system is a member of a predetermined set of user attributes, without revealing the attribute in question, the proving module determines the product Q of respective prime numbers corresponding to the attributes in the set in accordance with the predetermined mapping of attributes to prime numbers. The proving module demonstrates to the receiving module possession of a cryptographic credential encoding a secret value that is the prime number E, and then whether this secret value divides the product value Q.
Latest IBM Patents:
- INTERACTIVE DATASET EXPLORATION AND PREPROCESSING
- NETWORK SECURITY ASSESSMENT BASED UPON IDENTIFICATION OF AN ADVERSARY
- NON-LINEAR APPROXIMATION ROBUST TO INPUT RANGE OF HOMOMORPHIC ENCRYPTION ANALYTICS
- Back-side memory element with local memory select transistor
- Injection molded solder head with improved sealing performance
This application is a continuation of and claims priority from U.S. application Ser. No. 12/548,699 filed on Aug. 27, 2009, which in turn claims priority under 35 U.S.C. 119 from European Patent Applications 08105173.2 and 08105172.4, both filed Aug. 28, 2008, the entire contents of all of the aforementioned applications are incorporated herein by reference.
BACKGROUND OF THE INVENTION1. Field of the Invention
The present invention relates generally to encoding of attributes in cryptographic credentials. More particularly it relates to proofs about attributes so encoded. Still more particularly, aspects of the present invention relate to so-called anonymous credential systems.
2. Description of Related Art
Cryptographic credentials are used in a variety of security and privacy-sensitive applications to enable a user or proving party (the “prover”), to prove certain information to a verifying party (the “verifier”). Such a credential is essentially a certificate generated via a cryptographic process by an issuing party (the “issuer”) who has in some manner verified the information for which the credential is issued. The issuer, who may be the verifier but is more typically a trusted third party, supplies the credential to the user who can then use the credential as verification of the information when required. Credentials might be transmitted over data communications channels to a user's receiving module, such as a personal computer or mobile phone, or can be recorded on some information storage medium such as a chip or card which is supplied to the user.
Typical applications include government or electronic ID cards which encode personal or security-sensitive information. Such a card might be inserted in some form of reader module, with communication occurring between the card reader and a processor on the card, or between the reader and a remote verifier module, to perform a cryptographic verification process. There are also numerous applications involving access to services or other resources via data communications networks such as the Internet or telecommunications networks. An exemplary system might involve a user with a laptop, a mobile phone or other data processing module in communication with a remote server via the Internet, with verification of an appropriate cryptographic credential being required before the user is permitted access to a restricted web site.
Information is certified by a cryptographic credential via an encoding process whereby the information is represented by some value or function which is encoded in the credential via a cryptographic algorithm. Cryptographic proofs can be then be made about the credential and the information it encodes for subsequent verification purposes. Preferably, a credential system will be anonymous, allowing “zero-knowledge” proofs to be made which do not reveal any other information to a verifier than that which is to be proved. The items of information certified by cryptographic credentials are referred to generally herein as “user attributes”. Such an attribute can be any item of information attributed to a user, relating, for example, to some property, quality, feature or other item belonging to, describing or otherwise associated with the user, where the “user” here may in general be a person or a module.
Various different types of attributes might be utilized in credential systems. For example, binary attributes are attributes which can either be present or not, in essence flags indicating either true or false, e.g. whether a user is a civil servant. Finite set attributes provide another example. These are finite sets of discrete attribute values where a user may realize one possible value, examples here being hair colour, city of birth, security clearance and occupation. For simplicity, the term “attribute” is used herein to mean both “attribute” and “attribute value” as the context requires. Various other attribute types are possible as discussed below. Whatever the attribute type, for many applications the number of attributes to be encoded in cryptographic credentials can be very large.
There are currently two main approaches for encoding attributes in credentials as described above. The standard approach is to designate a message mj to an attribute and set mj to the encoded attribute value. This approach uses a whole message field per attribute. In more detail, attributes are distributed over multiple attribute bases so that each attribute is encoded in its own attribute base. That is, each attribute is encoded as one exponent mj in a discrete logarithm representation gm
An example of an anonymous credential system using this technique is the Camenisch-Lysyanskaya credential system which is discussed further below. This technique generates anonymous credentials by producing Camenisch-Lysyanskaya signatures on a message set including the encoded attribute values. Zero-knowledge proofs can then be made about the encoded attributes, e.g. to reveal one attribute to a verifier without revealing any others in the credential.
A common scenario is where a user wishes to prove that her credential encodes an attribute which is, or is not, a member of a given set, e.g. on a particular list of attributes, without revealing the attribute in question. For instance, a user may need to prove that her country of birth is (or is not) one of a given list of countries. A known method for doing this is to prove that the attribute encoded in the credential is either the first one, or the second one, or the third one, etc., of the attributes in the set (or conversely that the encoded attribute is not the first one, and is not the second one, and so on).
SUMMARY OF THE INVENTIONAccording to a first aspect of the present invention, a computer implemented method for generating a cryptographic credential for use in certifying a plurality of user attributes includes the steps of: encoding, in the computer, each attribute as a prime number in accordance with a predetermined mapping of attributes to prime numbers; calculating, in the computer, the product of the prime numbers encoding the attributes; and generating, in the computer, a cryptographic credential encoding the product for use in certification.
According to another aspect of the present invention, a computer implemented method is provided for determining, in a verifying module of a data processing system, whether a cryptographic credential associated with a proving module of the system certifies a specified user attribute. The cryptographic credential encodes the product E of a plurality of prime numbers, each encoding a respective user attribute in accordance with a predetermined mapping of attributes to prime numbers. The method includes the steps of: communicating with the verifying module to demonstrate possession of a cryptographic credential encoding E; and determining whether a prime number e encoding the specified attribute in accordance with the mapping divides the value E encoded in the credential, thus certifying the specified user attribute.
In a further aspect of the present invention, a computer implemented method for proving to a verifying module of a data processing system that a cryptographic credential associated with a proving module of the system certifies at least one of a predetermined set of user attributes is provided. The cryptographic credential encodes the product E of a plurality of prime numbers. Each prime number encodes a respective user attribute in accordance with a predetermined mapping of attributes to prime numbers. The method includes the steps of: demonstrating, to the verifying module, possession of a cryptographic credential encoding E; and communicating with the verifying module to prove possession of a secret number d which divides both the value E encoded in the credential and a value Q that is the product of respective prime numbers encoding the attributes in the set in accordance with the predetermined mapping of attributes to prime numbers. Possession of the secret number proves the certification.
In yet another aspect of the present invention, apparatus is provided for generating a cryptographic credential certifying a plurality of user attributes. The apparatus includes control logic adapted for: encoding each attribute as a prime number in accordance with a predetermined mapping of attributes to prime numbers; calculating the product of the prime numbers encoding the attributes; and generating a cryptographic credential encoding the product.
A still further aspect of the present invention provides a computer implemented method for determining, in a verifying module of a data processing system, whether a user attribute encoded in a cryptographic credential associated with a proving module of the system is a member of a predetermined set of user attributes. The cryptographic credential encodes the user attribute as a prime number E in accordance with a predetermined mapping of attributes to prime numbers. The method includes the steps of: determining, in the computer, a product value Q which is the product of respective prime numbers corresponding to the attributes in the set in accordance with the predetermined mapping of attributes to prime numbers; communicating with the verifying module to demonstrate possession of a cryptographic credential encoding a secret value that is the prime number E; and demonstrating to the verifying module, that the secret value divides the product value Q, thus demonstrating that the user attribute is a member of the set.
Another aspect of the present invention provides a computer implemented method for verifying, at a verifying module of a data processing system, whether a user attribute encoded in a cryptographic credential associated with a proving module of the system is a member of a predetermined set of user attributes. The cryptographic credential encodes the user attribute as a prime number E in accordance with a predetermined mapping of attributes to prime numbers. The method includes the steps of: communicating with the proving module to verify possession by the proving module of a cryptographic credential encoding a secret value E; and communicating with the proving module to determine whether the secret value divides a product value Q that is the product of respective prime numbers corresponding to the attributes in the set in accordance with the predetermined mapping of attributes to prime numbers.
Yet another aspect of the present invention provides a proving module of a data processing system for proving to a verifying module of the system whether a user attribute encoded in a cryptographic credential associated with the proving module is a member of a predetermined set of user attributes. The cryptographic credential encodes the user attribute as a prime number E in accordance with a predetermined mapping of attributes to prime numbers, the proving module includes a communications interface for communicating with the verifying module and control logic adapted to: determine a product value Q that is the product of respective prime numbers corresponding to the attributes in the set in accordance with the predetermined mapping of attributes to prime numbers; communicate with the verifying module via the communications interface to demonstrate possession of a cryptographic credential encoding a secret value being that is the prime number E; and communicate with the verifying module via the communications interface to prove whether the secret value divides the product value Q.
In accordance with other aspects of the invention, computer readable storage media are provided. The computer readable storage media include computer executable program instructions that, when executed, will cause a computer to perform one or more of the foregoing methods.
Preferred embodiments of the present invention will now be described, by way of example, with reference to the accompanying drawings in which:
Proof methods embodying the present invention are based on the use of cryptographic credentials which encode attributes as prime numbers. Specifically, an attribute is encoded in a credential in the form of a prime number E which maps to that attribute according to a predetermined mapping of attributes to prime numbers. This forms the basis for efficient proofs as to whether an attribute encoded in the credential is a member of a given set, i.e. that the attribute is, or conversely is not, a member of that set. This is done by proving whether the prime number E encoded in the credential divides (i.e. is an integral factor of) the product value Q, where Q is the product of the prime numbers corresponding to the attributes in the set in accordance with the aforementioned mapping.
The positive proof is made by showing that E does divide the product value Q, and the negative proof by showing that E does not divide Q. The prime property of the encoded attribute values ensures that the divisibility of E into Q is determinative for the set membership proof in both cases. The proof is made while keeping the attribute in question secret, i.e. without revealing the attribute to the verifier. The prover demonstrates possession of a credential encoding a secret value, the prime number E, and that the secret value encoded in the credential divides the product value Q. This technique offers efficient set membership proofs, both positive and negative, in credential systems. For example, in preferred embodiments of the present invention the proofs take at most time and space that is logarithmic in the number of set elements. Embodiments of the present invention thus allow modules with limited computational capacity to cope with substantially large attribute sets.
In general, the proving and verifying modules can be implemented by any form of data processing module, component or system, and the cryptographic credential may be associated with a proving module in a variety of ways. For example, a credential could be recorded in a proving module, read by a proving module, or otherwise accessible to a proving module for the purpose of communicating with the verifying module.
The predetermined mapping of attributes to prime numbers will generally be known to the verifier, and is typically published for access by provers and/or verifiers. Thus a verifier might specify an attribute to be verified by specifying the corresponding prime, or, in the case of multiple attributes, the product x of the appropriate primes. Embodiments can be envisaged where the credential is supplied to the verifier such that the value E is revealed, in which case the step of proving whether e (or x) divides E could be performed by the verifier.
In preferred embodiments, the proving module demonstrates possession of the credential without revealing the value E to the verifying module. This provides the basis for zero-knowledge proofs and in particular allows the proving module to demonstrate possession (or not) of a particular attribute or attributes without revealing any other attributes encoded in the credential.
Also, the product value Q might therefore be calculated by the prover or the verifier. Hence the step of determining the product value Q at the proving module can be achieved in a variety of ways, for example by receiving this value from the verifying module or by calculating this value for a list of attributes supplied by the verifying module.
Methods embodying this aspect of the present invention exploit cryptographic credentials generated by methods embodying the first aspect of the present invention to prove that a user possesses one or more attributes in a given set, e.g. on a particular list of attributes, without revealing the attribute(s) in question. This is done by proving knowledge of a secret number d which divides both the value E encoded in the credential and the product Q of the prime numbers which map to respective attributes in the set in accordance with the aforementioned mapping. The existence of this number proves that one or more of the attributes encoded in the credential must be on the list. The proof can be made for a single attribute, in which case the secret number d will be the prime number e encoding that attribute, or a plurality of attributes, in which case the number d will be the product of the primes encoding those attributes.
Methods embodying the present invention can implement proofs for more than one user attribute. In particular, a plurality of attributes may be encoded in a credential as respective prime numbers according to the defined mapping of attributes to primes. A proof that more than one of the encoded attributes is or is not a member of the given set could then be made by performing the divisibility proof described above individually for each attribute.
Alternatively, it can be proved that a plurality of attributes encoded in the credential are all members of the set by (a) calculating an attribute product X being the product of the respective prime numbers encoding the attributes in question according to the defined mapping, and (b) proving that the attribute product X divides the product value Q. The prime property of the encoded attribute values means that if X divides Q then each individual attribute value must also divide Q, and hence that each attribute is a member of the specified set.
The cryptographic credential will usually encode other elements in addition to the prime number(s) encoding the attribute(s), a typical example being a secret (private) key of the user. In general, the prime number(s) could be encoded in any desired manner in the credential, though preferred embodiments encode each prime number as an exponent in a discrete logarithm representation. Various techniques can also be used for generating the cryptographic credential, though this is conveniently done by producing a cryptographic signature on a message encoding the product. Particularly preferred embodiments employ an anonymous credential system based on Camenisch-Lysyanskaya signatures as described further below.
The present invention also extends to data processing systems including proving and verifying modules as described above. Moreover, it is to be understood that, in general, where features are described herein with reference to an embodiment of one aspect of the present invention, corresponding features may be provided in embodiments of another aspect of the present invention.
The preferred embodiments of the present invention detailed below employ a cryptographic credential system based on Camenisch-Lysyanskaya signatures. These are described in detail in: “A Signature Scheme with Efficient Protocols”, J. Camenisch and A. Lysyanskaya, in S. Cimato, C. Galdi and G. Persiano editors, Security in Communications Networks, Third International Conference, SCN 2002, volume 2576 of Lecture Notes in Computer Science, pages 268-289, Springer Verlag, 2003; and “Efficient Non-transferable Anonymous Multi-show Credential System with Optional Anonymity Revocation”, J. Camenisch and A. Lysyanskaya, in B. Pfitzmann, editor, Advances in Cryptology—EUROCRYPT 2001, volume 2045 of Lecture Notes in Computer Science, pages 93-118, Springer Verlag, 2001. A brief description of the properties of Camenisch-Lysyanskaya signatures is given below to assist understanding of the embodiments to be described.
Assumptions: Strong RSA Assumption (See A method for obtaining Digital Signatures and public-key Cryptosystems, R. L. Rivest, A. Shamir, L. Adleman, Communications of the ACM, 21(2):120-126. February 1978.): given an RSA modulus n and a random element gχZ*n, it is hard to compute hχZ*n and integer e>1 such that he≡g mod n. The modulus n is of a special form pq, where p=2p′+1 and q=2q′+1 are safe primes.
Integer Commitments: We recall the Pederson commitment scheme (as detailed in “Non-interactive and Information-theoretic Secure Verifiable Secret Sharing”, T. P. Pedersen, in J. Feigenbaum, editor, Advances in Cryptology—CRYPTO '91, volume 576 of Lecture Notes in Computer Science, pages 129-140, Springer Verlag, 1992) in which the public parameters are a group G of prime order q, and generators (g0, . . . , gm). In order to commit to the values (v0, . . . , vm)χZq, pick a random rχZq and set C=Com(v0, . . . , vm; r)=g0rΠi=1mgiv
Damgård and Fujisaki (“An integer commitment scheme based on groups with hidden order”, I. Damgård and E. Fujisaki, http://eprint.iacr.org/2001, 2001) show that if the group G is an RSA group and the committer is not privy to the factorization of the modulus, then in fact the Pedersen commitment scheme can be used to commit to integers of arbitrary size.
Discrete-Logarithm-Based, Zero-Knowledge Proofs: The Camenisch-Lysyanskaya signature scheme makes use of several known results for proving statements about discrete logarithms. When referring to such proofs, we will follow the notation introduced by Camenisch and Stadler (J. Camenisch and M. Stadler. “Efficient Group Signature Schemes for Large Groups”, J. Camenisch and M. Stadler, in B. Kaliski, editor, Advances in Cryptology—CRYPTO '97, volume 1296 of Lecture Notes in Computer Science, pages 410-424, Springer Verlag, 1997) for various proofs of knowledge of discrete logarithms and proofs of the validity of statements about discrete logarithms. For instance,
PK{(α,β,δ):y=gαhβ·{tilde over (y)}={tilde over (g)}α{tilde over (h)}β·(u[α[v)}
denotes a “zero-knowledge Proof of Knowledge of integers α, β, and δ such that y=gαhβ and {tilde over (y)}={tilde over (g)}α{tilde over (h)}β holds, where u[α[v and where y, g, h, {tilde over (y)}, {tilde over (g)}, {tilde over (h)} are elements of some groups G=g=h and G={tilde over (g)}={tilde over (h)}. The convention is that Greek letters denote quantities of which knowledge is being proved, while all other values are known to the verifier.
Application of the Fiat-Shamir heuristic (“How to Prove Yourself: Practical Solutions to Identification and Signature Problems”, A. Fiat and A. Shamir, in A. M. Odlyzko, editor, Advances in Cryptology—CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186-194. Springer Verlag, 1987) turns such proofs of knowledge into signatures on some message m; denoted as, for example, SPK{(α):y=gα}(m). Given a protocol in this notation in the following description, the derivation of an actual protocol implementing the proof will be apparent to those skilled in the art.
Camenisch-Lysyanskaya Signatures: A minor and straightforward variant of the Camenisch-Lysyanskaya (CL) signatures discussed in “A Signature Scheme with Efficient Protocols” (referenced in full above) allows messages to be negative integers as well. Let lm, le, ln, lr and L be system parameters. lr is a security parameter, and the meanings of the others will become apparent in the following.
Key Generation: On input ln, choose an ln-bit RSA modulus n such that n=pq, p=2p′+1, q=2q′+1, where p, q, p′, and q′ are primes. Choose, uniformly at random, R0, . . . , RL-1, S, ZχQRn. Output the public key (n, R0, . . . , RL-1, S, Z) and the secret key p. Message space is the set {(m0, . . . , mL-1)}: miχ{0,1}l
Signing Algorithm: On input m0, . . . , mL-1, choose a random prime number e of length le>lm+2, and a random number v of length lv=ln+lm+lr, where lr is a security parameter. Compute
The signature consists of (e, A, v).
Verification Algorithm: To verify that the tuple (e, A, v) is a signature on message (m0, . . . , mL-1), check that Z≡AeR0m
Proving Knowledge of a Signature: A prover can prove possession of a CL signature without revealing any other information about the signature. If A was a public value, we could do so by proving knowledge representation of Z with respect to R0, . . . , RL-1, S and A. However, making A public would destroy privacy as that would make all transactions linkable. Luckily, one can randomize A: given a signature (A, e, v), the tuple (A′:=AS−r mod n, e, v′:=v+er) is also a valid signature as well. Now, provided that AχS and that r is chosen uniformly at random from {0,1}l
There is a technical consequence from this proof protocol regarding the statements μiε±{0,1}l
The CL Credential System and Attributes: The CL credential system can be used to encode attributes into credentials as follows. In the CL system, each user has a secret identity, i.e. a single secret key sU. A credential issuing party now uses the CL signature scheme to sign the user's secret key as well as all attributes the issuer wants to assert about the user. This signing is of course done in a “blind” way such the issuer does not learn the user's secret key. Thus, the user will have obtained a signature (A, e, v) such that Z≡±R0s
Referring to
The control logic 5, 7, 9 of these modules is configured for implementing the appropriate steps of processes involving generation and issuing of cryptographic credentials, and making proofs about these credentials, as described in detail below. In general, this control logic may be implemented in hardware or software or a combination thereof, and the specific nature of the prover, verifier and issuer modules is largely irrelevant to fundamental operation of the cryptographic processes to be described. In this example, however, modules 2 to 4 are implemented by general-purpose computers, prover module 2 being a user pc and verifier and issuer modules 3, 4 being servers to which prover pc 2 can connect over network 11. Prover logic 5, verifier logic 7 and credential logic 9 are implemented here by respective computer programs which configure the host computers to perform the functions described. Suitable software will be apparent to those skilled in the art from the description herein.
In this illustrative scenario, the credential system is utilised in an access control process. In particular, in order for user pc 2 to access a service, such as a restricted web site, hosted by verifying server 3, prover logic 5 must demonstrate possession of an appropriate cryptographic credential issued by a trusted party, in this case issuing server 4. The basic steps of the access control process are as indicated by arrows (a) to (f) in
In step (a), user pc 2 connects to issuing server 4 to request a credential C certifying a user attribute about which cryptographic proofs are subsequently to be made. Issuing server 4 then verifies the attribute for that user. This can be done in any desired manner, for example by verifying the user's identity and then accessing a secure database containing official information to confirm the user attribute in question. An appropriate credential C is then generated by credential logic 9 and transmitted over network 11 to user pc 2 as indicated by arrow (b). In step (c), user pc 2 connects to verifying server 3 via the network 11 to request access to the required service.
In step (d), verifier logic 7 sends a verification request to prover logic 5 asking for proof of possession of an appropriate credential. More specifically, prover logic 5 must prove to verifier logic 7 whether the attribute encoded in the credential is one of a list of attributes supplied by the verifier logic. Prover and verifier logic 5, 7 then communicate to effect the required cryptographic proof as indicated generally by arrow (e). In step (f), verifying server 3 permits or denies user pc 2 access to the restricted service according to whether or not a satisfactory proof has been made.
Referring to
The issuer's public key becomes (n, R0, . . . , RL-1, S, Z, g, h). The code definition (mapping) is performed as follows. The number of bits that can be encoded into a message field of a CL signature is lm as described earlier, so we can only use primes of length up to lm. We assume initially here that a single, finite-set attribute which can take at most k different values is to be encoded in a credential. The issuer thus chooses lm such that there exist k primes smaller than 2l
The credential generation process is initiated in response to prover 5 issuing a request R for a credential as indicated in
The foregoing system provides the basis for exceptionally efficient proofs in step (e) of
Referring to
Next, prover 5 chooses a sufficiently large random r (about 80 bits larger than n) and computes a commitment D=gEhr mod n. The commitment D is sent to verifier 7 in the second step shown in the figure, whereby the prover commits to the prime number E encoded in the credential without revealing the value E to the verifier; i.e., E remains secret to the prover. Next, prover 5 calculates the product value Q being the product of the supplied prime numbers e1, . . . , el for the attributes on the list. Prover 5 then calculates the value a=Q/E. In the third step shown in the figure, the prover and verifier communicate to implement a zero-knowledge proof (ZKP) protocol.
In implementing this protocol, the prover demonstrates possession of a credential C encoding the same (secret) value E as that committed to in the commitment D by proving knowledge of a CL signature as described earlier. In addition, the protocol implements a zero-knowledge proof demonstrating knowledge by the prover of the secret value a which satisfies a*E=Q. This protocol is defined as follows, where the value a is represented by α here, the number E is represented by μ1, and μ0 is the secret key sU:
PK{(ε,v′,μ0,μ1,ρ,α,ρ′):Z≡±R0μ
The integer a can only exist if E is a factor of Q. Hence, proving knowledge of a proves that E does divide Q. The proof is therefore made that the credential C certifies an attribute on the required list without revealing that attribute to the verifier.
Referring to
In the third step shown in the figure, the prover and verifier communicate to implement a zero-knowledge proof protocol. As before, this protocol demonstrates possession by the prover of a credential C encoding the secret value E committed to in commitment D. In addition, the protocol implements a zero-knowledge proof demonstrating knowledge by the prover of the secret values b and c such that b*E+c*Q=1. This protocol is as follows (where the secret values b and c are represented by α and β here):
PK{(ε,v′,μ0,μ1,ρ,α,β,ρ′):Z≡±R0μ
The two integers b and c only exist if E is not a factor of the product value Q. Hence, proving knowledge of b and c proves that E does not divide Q. The proof is therefore made that the attribute certified by credential C is not on the specified list without revealing the attribute in question to the verifier.
It will be seen from the foregoing that, by encoding attributes as small prime numbers as described, both the positive and negative set membership proofs can be performed with exceptional efficiency. One only needs to prove possession of the credential C and then simple linear relation. The size of the elements a, b, c, E and Q depend on the number of attributes that one needs to be able to handle maximally. In particular, if one needs to be able to encode at most u different attributes (requiring u different primes), then E becomes about u*log u, i.e. about log u+log u bits. If the list has j elements, we additionally need to communicate about j log u bits. This is compared to j group elements required with the traditional methods discussed earlier, which is typically much more.
A plurality of attributes may of course be encoded in the credential C if desired. In this case, each of the attributes a1, . . . , ai can be encoded as a respective prime number E1, . . . , Ei according to the defined mapping of attributes to primes. Each of the prime numbers E1, . . . , Ei can then be encoded in the credential as a respective message m1, . . . mi of the message set on which the CL signature is generated. A proof that more than one of the encoded attributes is or is not on the specified list can be made simply by performing the proofs described above individually for each attribute as required.
Alternatively, it can be proved that a number of the encoded attributes are all on the list by using a modified form of the
In the zero-knowledge proof protocol, the prover demonstrates possession of a credential C on each of the (secret) attribute values E1 and E2. In addition, the protocol proves knowledge by the prover of a secret integer a such that a*X=Q, and that the secret value X is the product of the attribute values E1 and E2. The prime property of the encoded attribute values E1 and E2 means that if X divides Q then each individual attribute value must also divide Q, and hence that each of the attributes is on the verifier's list.
Many changes can of course be made to the embodiments described above. By way of example, instead of defining the attribute list by supplying the list of primes e1, . . . , el encoding the attributes, the list of attributes a1, . . . , al could be provided. The prover could then use the published mapping to determine the encoded values e1, . . . , el and hence the product value Q. Alternatively, for example, the verifier could simply supply the product value Q for the list in question.
In some embodiments, a credential C may be issued for a predetermined attribute or set of attributes. Alternatively, the user could specify the particular attributes to be encoded in a credential, selecting from a predetermined set of attributes which can be certified. A credential could also include other elements as well as the secret user key su and encoded attribute value(s). These elements could then be included as additional messages mi, . . . mL-1 in the CL signature. It will be understood, however, that the techniques described can be applied to credentials generated in other ways than by producing a CL signature.
It will of course be appreciated that, while the credential system is described in the context of an access control scenario above, numerous other applications might employ such a credential system. The present invention can thus be employed in a variety of data processing systems other than the specific example of
Other changes and modifications can be made to the exemplary embodiments described without departing from the scope of the invention.
Claims
1. A computer implemented method for generating a cryptographic credential for use in certifying a plurality of user attributes, the method comprising the steps of:
- receiving, in an issuing server, a request from a computer of a user for said cryptographic credential, wherein the request includes the plurality of attributes;
- verifying the plurality of attributes with a verification request sent by a verifying server, wherein the verification request includes a list identifying one or more of the plurality of attributes and the prime numbers associated with each attribute;
- encoding, using said computer of a user, each attribute as a prime number in accordance with a predetermined mapping of attributes to prime numbers;
- requesting access to a specified service using said computer of a user;
- calculating, using said computer of a user, the product of the prime numbers encoding the attributes; and
- generating, using said computer of a user, an encoding of said product, thus producing the cryptographic credential for use in said certification to grant access to said specified service.
2. A method according to claim 1 wherein the step of generating comprises encoding said product as an exponent in a discrete logarithm representation.
3. A method according to claim 1 wherein the step of generating includes producing a cryptographic signature on a message encoding said product.
4. A method according to claim 1 further comprising the step of transmitting the cryptographic credential to a receiving module via a data communications channel.
5. A method according to claim 1 further comprising the step of recording the cryptographic credential on an information storage medium.
6. A non-transitory computer readable medium tangibly embodying computer executable program instructions for causing a computer to perform a method for generating a cryptographic credential certifying a plurality of user attributes according to claim 1.
7. A computer implemented method for determining, in a verifying module of a data processing computer system, whether a cryptographic credential associated with a proving module of the system certifies a specified user attribute, said cryptographic credential encoding the product E of a plurality of prime numbers each encoding a respective user attribute in accordance with a predetermined mapping of attributes to prime numbers, the method comprising the steps of:
- receiving, in an issuing module, a cryptographic credential request from the proving module, which includes the specified user attribute;
- sending a verification request from the verifying module to the proving module, wherein the verification request includes a list of at least the specified user attribute and the prime number associated therewith;
- sending a request, from the proving module, to access a specified service by communicating with the verifying module to demonstrate possession of said cryptographic credential encoding said product E; and
- determining whether a prime number e encoding said specified attribute in accordance with said mapping divides the value E encoded in the credential, thus certifying the specified user attribute.
8. A method according to claim 7 for proving that the cryptographic credential does certify the specified attribute, the method including:
- demonstrating possession of said credential without revealing said product E value to the verifying module; and
- communicating with the verifying module to prove knowledge of a secret number a such that a*e=E.
9. A method according to claim 7 for proving that the cryptographic credential does not certify the specified attribute, the method including:
- demonstrating possession of said credential without revealing said product E value to the verifying module; and
- communicating with the verifying module to prove knowledge of secret numbers b and c such that b*E+c*e=1.
10. A method according to claim 7 including the further step of determining, in said computer, whether the product x of respective prime numbers encoding said plurality of attributes in accordance with said mapping divides the value E encoded in the credential.
11. A non-transitory, computer readable medium tangibly embodying computer executable program instructions for causing the computer to perform the steps of a process according to claim 7.
12. A computer implemented method for proving to a verifying module of a data processing computer system that a cryptographic credential associated with a proving module of the system certifies at least one of a predetermined set of user attributes, said cryptographic credential encoding the product E of a plurality of prime numbers each prime number encoding a respective user attribute in accordance with a predetermined mapping of attributes to prime numbers, the method comprising the steps of:
- receiving, in an issuing module, a cryptographic credential request from the proving module;
- sending a verification request from the verifying module to the proving module, wherein the verification request includes a list of at least one of the set of the predetermined user attributes and the prime number associated therewith;
- sending a request, from the proving module, to access a specified service;
- demonstrating to the verifying module possession of the cryptographic credential encoding E; and
- communicating with the verifying module to prove possession of a secret number d which divides both the value E encoded in the credential and a value Q that is the product of respective prime numbers encoding the attributes in said set in accordance with said predetermined mapping of attributes to prime numbers, thus proving said certification.
13. Apparatus for generating a cryptographic credential certifying a plurality of user attributes, the apparatus comprising a processor device and control logic configured to:
- request the cryptographic credential;
- receive a verification request that includes a list identifying one or more of the plurality of user attributes and the prime numbers associated therewith;
- encode each attribute as a prime number in accordance with a predetermined mapping of attributes to prime numbers;
- request access to a specified service;
- calculate the product of the prime numbers encoding the attributes; and
- generate a cryptographic credential encoding said product.
14. Apparatus according to claim 13 wherein the control logic includes means adapted for generating the cryptographic credential by encoding said product as an exponent in a discrete logarithm representation.
15. A computer implemented method for determining in a verifying module of a data processing system whether a user attribute encoded in a cryptographic credential associated with a proving module of the system is a member of a predetermined set of user attributes, the cryptographic credential encoding said user attribute as a prime number E in accordance with a predetermined mapping of attributes to prime numbers, the method comprising the steps of:
- receiving, in an issuing module, a cryptographic credential request, which includes the user attribute;
- sending a verification request from the verifying module to the proving module, wherein the verification request includes a list identifying a list of at least one of the set of the predetermined user attributes and the prime number associated therewith;
- sending a request, from the proving module, to access to a specified service;
- determining, using said computer of a user, a product value Q which is the product of respective prime numbers corresponding to the attributes in said set in accordance with said predetermined mapping of attributes to prime numbers;
- communicating with the verifying module to demonstrate possession of a cryptographic credential encoding a secret value that is said prime number E; and
- demonstrating to the verifying module that said secret value divides the product value Q, thus demonstrating that said user attribute is a member of said set.
16. A method according to claim 15 for proving that said user attribute is a member of said predetermined set, the method further including the step of communicating with the verifying module to prove knowledge of a secret number a such that a*E=Q.
17. A method according to claim 15 for proving that said user attribute is not a member of said predetermined set, the method including the further step of communicating with the verifying module to prove knowledge of secret numbers b and c such that b*E+c*Q=1.
18. A method according to claim 15 for proving that a plurality of user attributes, encoded in the cryptographic credential as respective prime numbers in accordance with said predetermined mapping, are each members of said set, the method further comprising the steps of:
- communicating with the verifying module to demonstrate possession of a cryptographic credential encoding respective secret values that are said prime numbers encoding the plurality of user attributes;
- calculating an attribute product X that is the product of the prime numbers encoding said plurality of user attributes; and
- communicating with the verifying module to prove knowledge of a secret number a such that a*X=Q.
19. A non-transitory, computer readable medium tangibly embodying computer executable program instructions for causing the computer to perform the steps of a process according to claim 15.
20. A computer implemented method for verifying at a verifying module of a data processing computer system whether a user attribute encoded in a cryptographic credential associated with a proving module of the system is a member of a predetermined set of user attributes, the cryptographic credential encoding said user attribute as a prime number E in accordance with a predetermined mapping of attributes to prime numbers, the method comprising the steps of:
- receiving, in an issuing module, a request from the proving module for a cryptographic credential, wherein the request includes one or more user attributes;
- receiving, in the proving module, a verification request that includes a list of at least one of the set of the predetermined user attributes and the prime number associated therewith;
- communicating with the proving module to retrieve a request to access a specified service;
- communicating with the proving module to verify possession by the proving module of a cryptographic credential encoding a secret value E; and
- communicating with the proving module to determine whether said secret value divides a product value Q that is the product of respective prime numbers corresponding to the attributes in said set in accordance with said predetermined mapping of attributes to prime numbers.
21. A method according to claim 20 for verifying that said user attribute is a member of said predetermined set, the method including communicating with the proving module to verify knowledge by the proving module of a secret number a such that a*E=Q.
22. A proving module of a data processing computer system for proving to a verifying module of the system whether a user attribute encoded in a cryptographic credential associated with the proving module is a member of a predetermined set of user attributes, the cryptographic credential encoding said user attribute as a prime number E in accordance with a predetermined mapping of attributes to prime numbers, the proving module comprising (i) a communications interface for communicating with the verifying module and (ii) control logic configured to:
- request the cryptographic credential;
- receive, in response to the cryptographic credential request, a list of at least one of the set of the predetermined user attributes and the prime numbers associated therewith;
- determine a product value Q that is the product of respective prime numbers corresponding to the attributes in said set in accordance with said predetermined mapping of attributes to prime numbers;
- request access to a specified service;
- communicate with the verifying module via said communications interface to demonstrate possession of a cryptographic credential encoding a secret value that is said prime number E; and
- communicate with the verifying module via said communications interface to prove whether said secret value divides the product value Q.
23. A proving module according to claim 22 wherein the control logic is configured to communicate with the verifying module to prove knowledge of a secret number a such that a*E=Q.
24. A proving module according to claim 22 for proving that a plurality of user attributes, encoded in the cryptographic credential as respective prime numbers in accordance with said predetermined mapping, are each members of said set, the control logic being further configured to:
- communicate with the verifying module to demonstrate possession of a cryptographic credential encoding respective secret values that are said prime numbers encoding the plurality of user attributes;
- calculate an attribute product X that is the product of the prime numbers encoding said plurality of user attributes; and
- communicate with the verifying module to prove knowledge of a secret number a such that a*X=Q.
6189036 | February 13, 2001 | Kao |
6871276 | March 22, 2005 | Simon |
8001384 | August 16, 2011 | Yamamoto et al. |
20070121936 | May 31, 2007 | Guillou et al. |
20070226798 | September 27, 2007 | Sibert |
20080152148 | June 26, 2008 | Sudhakar et al. |
20080162484 | July 3, 2008 | Yoshida |
20080165956 | July 10, 2008 | Zhu et al. |
- J. Camenisch, et al., “A Signature Scheme with Efficient Protocols”, Security in Communications Networks, Third Intl. Conference, SCN 2002, vol. 2576, pp. 268-289, 2003.
- J. Camenisch, et al., “An Efficient System . . . Revocation”, Advances in Cryptology—Eurocrypt 2001, Vo. 2045 of Lecture Notes in Computer Science, pp. 93-118, 2001.
- R.L. Rivest, et al., “A Method for Obtaining . . . Cryptosystems”, Communications of the ACM, 21(2): 120-126. Feb. 1978.
- T. Pedersen, “Non-Interactive and Information . . . Sharing”, Advances in Cryptology—CRYPTO '91, vol. 576 of Lecture Notes in Computer Science, pp. 129-140, 1992.
- I. Damgard, et al., “An Integer Commitment . . . Order”, http://eprint.iacr.org/2001, 2001.
- J. Camenisch, et al., “Efficient Group Signature . . . Groups”, Advances in Cryptology—CRYPTO '97, vol. 1296 of Lecture Notes in Computer Science, pp. 410-424, 1997.
- A. Fiat, et al., “How to Prove Yourself, . . . Problems”, Advances in Cryptology—CRYPTO '86, vol. 263 of Lecture Notes in Computer Science, pp. 186-194, 1987.
Type: Grant
Filed: Aug 24, 2012
Date of Patent: Aug 26, 2014
Patent Publication Number: 20120324231
Assignee: International Business Machines Corporation (Armonk, NY)
Inventors: Jan Leonhard Camenisch (Zurich), Thomas R Gross (Zurich)
Primary Examiner: Jung Kim
Assistant Examiner: Adrian Stoica
Application Number: 13/594,306
International Classification: H04L 29/06 (20060101);